TOKYO — North Korea is quietly expanding both the scope and sophistication of its cyberweaponry, laying the groundwork for more devastating attacks, according to a report published Tuesday.
Kim Jong Un’s cyberwarriors have been accused of causing huge disruptions in recent years, including a massive hack on Sony Pictures in 2014 and last year’s WannaCry ransomware worm, as well as numerous attacks on South Korean servers.
Now, it appears that North Korea has also been exploiting previously unknown software vulnerabilities to carry out cyberespionage — the kind of activity that could easily metamorphose into full-scale attacks, according to a report from FireEye, a California-based cybersecurity company.
Although the North Korean regime bans the Internet for ordinary citizens and is decidedly behind the times with most technology, it has funneled a huge amount of time and money into building a cyber-army capable of outsmarting more technologically advanced countries such as South Korea.
“Our concern is that this could be used for a disruptive attack rather than a classic espionage mission, which we already know that the North Koreans are regularly carrying out,” said John Hultquist, director of intelligence analysis for FireEye.
FireEye said it has “high confidence” that a cyberespionage group it has identified as APT37 is responsible for a number of attacks, not just in South Korea but also in Japan, Vietnam and the Middle East. These include “zero-day vulnerability” attacks in which hackers find and exploit flaws in software before the developers have had an opportunity to create patches to fix them.
“It’s like your security system is a big wall, but someone knows that there’s a hole somewhere in that wall and can crawl through it,” Hultquist said. “It’s fairly rare.”
It’s also a sign of sophistication, as hackers are able to obtain access and defeat mature security programs, he said.
Experts say all the evidence suggests that Lazarus, the collective that launched the embarrassing attack on Sony and that was behind the $81 million cyberheist of a Bangladeshi bank in 2016, has links to the North Korean regime. It is also accused of masterminding last year’s WannaCry attack, which crippled companies, banks and hospitals around the world.
North Korea is also accused of numerous attacks in South Korea. The most recent involved the hacking of a South Korean cryptocurrency exchange. The bitcoin exchange Youbit lost 17 percent of its total assets in the December attack and said it would close as a result.
But the APT37 group appears to have been operating under the radar, exploiting holes in South Korean cybersecurity since 2012 to covertly gather intelligence on issues of concern for the North Korean regime: the government, military, media and human rights groups among them. These targets, combined with the times of day that attacks happen, strongly point to North Korea, FireEye said.
Last year, however, APT37 appeared to have targeted a Japanese entity involved in imposing sanctions on North Korea, a Vietnamese company and one in the Middle East.
FireEye did not name any of the targets for legal reasons, but its description of the attack on the company in the Middle East perfectly describes Orascom, an Egyptian telecommunications company that had started a cellphone company in North Korea only to have almost all its profits retained by the regime.
In addition to expanding its geographical reach, APT37 also appears to be targeting a wider range of industries, including chemicals, electronics, manufacturing, aerospace, automotive and health-care entities, the report said.
While the damage from APT37 is currently much lower than that caused by the huge cyberattacks blamed on North Korea, the group's activity suggests that the regime is looking for new ways to launch stealthy attacks when it wants to.
The Worldwide Threat Assessment published by the U.S. intelligence community last week forecast that the potential for surprise attacks in the cyber-realm would increase over the next year.
Intelligence agencies expect North Korea to use cyber-operations to gather intelligence or launch attacks on South Korea and the United States.
“Pyongyang probably has a number of techniques and tools it can use to achieve a range of offensive effects with little or no warning, including distributed denial of service attacks, data deletion, and deployment of ransomware,” the assessment said.
Hultquist said APT37 was just the kind of tool North Korea could use for a surprise attack, partly because it has been operating at a relatively low level.
“Lazarus and the other actors that are well known all started as espionage. That’s the classic story again and again,” he said. He added that the Kim regime does not seem to care about consequences.
“North Korea has flouted global norms and taboos,” Hultquist said. “They are not necessarily concerned about retribution. They have adopted this criminal MO which flies in the face of just about any kind of international norm.”